
Wireshark-dev: Re: [Wireshark-dev] Why the name "Wiretap"?

From: Gilbert Ramirez <gram@xxxxxxxxxxxxxxx>
Date: Fri, 28 Sep 2012 13:23:16 -0700
The README in the wiretap library is as ancient as the intention that it be a replacement for libpcap. It says:

Wiretap is a library that is being developed as a future replacement for
libpcap, the current standard Unix library for packet capturing. Libpcap
is great in that it is very platform independent and has a wonderful
BPF optimizing engine. But it has some shortcomings as well. These
shortcomings came to a head during the development of Wireshark
(http://www.wireshark.org/), a packet analyzer. As such, I began developing
wiretap so that:

Hence the name. However, it immediately became more useful to simply read a variety of packet-capture file formats, and that's the direction it went, w/o a name change.

Cheers,

Gilbert

On Fri, Sep 28, 2012 at 12:59 PM, <robert.bullen@xxxxxxxxxx> wrote:
I've always found it confusing that a library responsible for reading and writing trace files is called wiretap, since it deals with neither the wire nor tapping. Could someone fill me in on the history of that name?

Robert Bullen
Network Application Analysis (NAA)
1 Meridian Crossing
Richfield, MN 55423-3978
Office: 612-973-6216
Email: robert.bullen@xxxxxxxxxx




From:        wireshark-dev-request@xxxxxxxxxxxxx
To:        wireshark-dev@xxxxxxxxxxxxx
Date:        09/28/2012 02:01 PM
Subject:        Wireshark-dev Digest, Vol 76, Issue 44
Sent by:        wireshark-dev-bounces@xxxxxxxxxxxxx




Send Wireshark-dev mailing list submissions to
                wireshark-dev@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
                https://wireshark.org/mailman/listinfo/wireshark-dev
or, via email, send a message with subject or body 'help' to
                wireshark-dev-request@xxxxxxxxxxxxx

You can reach the person managing the list at
                wireshark-dev-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-dev digest..."


Today's Topics:

  1. converting pcapng to pcap (Albert Lo)
  2. Re: Do Windows compilers require WS_VAR_IMPORT in .h files
     (Joerg Mayer)
  3. Re: converting pcapng to pcap (Jakub Zawadzki)
  4. Re: Building for Windows without zlib? (Guy Harris)
  5. Re: converting pcapng to pcap (Guy Harris)
  6. Re: converting pcapng to pcap (albert)
  7. Re: [Wireshark-commits] rev 45191: /trunk/
     /trunk/epan/dissectors/: packet-btsap.c /trunk/: CMakeLists.txt
     (Guy Harris)


----------------------------------------------------------------------

Message: 1
Date: Fri, 28 Sep 2012 17:39:01 +0000
From: Albert Lo <ALo@xxxxxxxxxxxxxx>
To: "wireshark-dev@xxxxxxxxxxxxx" <wireshark-dev@xxxxxxxxxxxxx>
Subject: [Wireshark-dev] converting pcapng to pcap
Message-ID:
                <E5E4E6B17F036444A5A4D70F62B8739922CB2290@xxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

I would like to know where I can find the source files for editcap.
What libpcap API's are being called to convert .pcapng to .pcap with the following cmd?

>editcap -F libpcap -T ether file.pcapng file.pcap


Thx.
Cheers,
Albert


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.wireshark.org/lists/wireshark-dev/attachments/20120928/f628a007/attachment.html>

------------------------------

Message: 2
Date: Fri, 28 Sep 2012 19:40:29 +0200
From: Joerg Mayer <jmayer@xxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] Do Windows compilers require
                WS_VAR_IMPORT in .h files
Message-ID: <20120928174029.GD8105@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

Hello Pascal,

On Fri, Sep 28, 2012 at 05:25:41PM +0200, Pascal Quantin wrote:
> 2012/9/28 Joerg Mayer <jmayer@xxxxxxxxx>
> > I'm working on building wireshark with gcc with -fvisibility=hidden. This
> > will mostly mimic the behaviour already on Windows. The gcc attribute
> > to change the visibility causes errors when used in .h files (well, in
> > declarations without a  the object).
> > I have replaced WS_VAR_IMPORT with extern in .h files. Can someone on
> > Windows
> > please test whether this still works?
>
> it fails with the following errors (MSVC2010EE 32 bits):

Can you please apply the attached patch on top of the previous one to check
whether this fixed the compile problem in packet-dcom.c?
If it does, I will rework the whole patch in the same manner.

Thanks for testing!

Ciao
   Jörg
--
Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dcom-dot-c.patch
Type: text/x-diff
Size: 805 bytes
Desc: not available
URL: <http://www.wireshark.org/lists/wireshark-dev/attachments/20120928/a37f0f59/attachment.patch>

------------------------------

Message: 3
Date: Fri, 28 Sep 2012 19:54:09 +0200
From: Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] converting pcapng to pcap
Message-ID: <20120928175409.GE1989@xxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

Hi,

On Fri, Sep 28, 2012 at 05:39:01PM +0000, Albert Lo wrote:
> What libpcap API's are being called to convert .pcapng to .pcap with the following cmd?

We use our own library (wiretap) to read and write capture files.


------------------------------

Message: 4
Date: Fri, 28 Sep 2012 11:05:22 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] Building for Windows without zlib?
Message-ID: <6A5D75F4-6762-4A3F-B456-006B284110F1@xxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii


On Sep 28, 2012, at 7:47 AM, robert.bullen@xxxxxxxxxx wrote:

> I build Wireshark for Windows without zlib. It works faster, but I think that is more the result of consuming less memory than an actual speed increase.

At least with the new compressed-file code as of 1.6, it shouldn't consume more memory (other than for zlib itself, which shouldn't be invoked for uncompressed files except when the file is opened, and maybe for a few data structure members) for an uncompressed file.  If it's doing that, file a bug.

> In addition, it allows files larger than 2 GB to be read (at least that used to be a reason; not sure if it is still valid).

That should be fixed in the Wiretap library as of 1.6 - the new code for reading files doesn't use the zlib I/O routines, and uses routines that should support 64-bit file offsets if the underlying OS does (which includes 64-bit platforms and, I think, most if not all recent versions of various UN*Xes, and NT versions of Windows).

However, a file larger than 2GB might have enough packets that the frame_data structures might fill up a 32-bit address space, and there's a bug, fixed only recently, where, at least on Windows, we were imposing 32-bit limits on 64-bit address spaces.

------------------------------

Message: 5
Date: Fri, 28 Sep 2012 11:11:14 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] converting pcapng to pcap
Message-ID: <1AD03A96-D583-434D-840C-DF3A0A067F66@xxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii


On Sep 28, 2012, at 10:39 AM, Albert Lo <ALo@xxxxxxxxxxxxxx> wrote:

> I would like to know where I can find the source files for editcap.
> What libpcap API's are being called to convert .pcapng to .pcap with the following cmd?
>  
> >editcap -F libpcap -T ether file.pcapng file.pcap

As Jakub noted, we don't use libpcap to read or write capture files.

However, if you convert pcap-ng to pcap with the command

                tcpdump -r file.pcapng -w file.pcap

on a system with libpcap 1.1.0 or later, the APIs used are

                pcap_open_offline(), to open the input file;

                pcap_loop(), to read the packets;

                pcap_close(), to close the input file;

                pcap_dump_open(), to open the output file;

                pcap_dump(), to write to the output file;

                pcap_dump_close(), to close the output file.

That will, of course, only work if the file can actually be converted to pcap without damaging it, i.e. if all the interfaces in the pcap-ng file have the same link-layer type.  If they don't, the file cannot be represented in a pcap file in any form that will actually give the right answer if you try to read it (so "-T ether" isn't going to fix that problem with editcap).

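The open / per-packet callback / dump sequence Guy lists above, together with the link-layer-type restriction he describes, as an added example that is not part of the original thread and is not Wireshark's wiretap or libpcap code: a stdlib-only Python converter that parses the three pcapng block types the job needs (Section Header, Interface Description and Enhanced Packet Block), writes a classic little-endian pcap file, and refuses a capture whose interfaces disagree on link-layer type instead of silently mislabelling packets. The names `pcapng_to_pcap`, `iter_blocks`, `read_pcap`, `LinkTypeMismatch` and the constructed input from `build_sample_pcapng` are this example's own. It assumes the default microsecond `if_tsresol` (options are not parsed) and drops block types that pcap has no equivalent for.

```python
"""Minimal pcapng -> pcap converter written for this thread (not Wireshark's wiretap
and not libpcap).  It mirrors the open / per-packet callback / dump sequence and
refuses the one case the conversion cannot represent: a capture whose interfaces
have different link-layer types.  Standard library only."""
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # pcapng block types
PCAPNG_BOM = 0x1A2B3C4D                               # SHB byte-order magic
PCAP_MAGIC = 0xA1B2C3D4                               # classic pcap, microsecond timestamps


class LinkTypeMismatch(ValueError):
    """Raised when interfaces in the pcapng input disagree on link-layer type."""


def iter_blocks(data):
    """Yield (block_type, endian, body) for every block, honouring each SHB's byte order."""
    off, endian = 0, "<"
    while off + 12 <= len(data):
        # The SHB type value reads the same in either byte order, so peeking at it is safe.
        if struct.unpack_from("<I", data, off)[0] == SHB:
            bom = struct.unpack_from("<I", data, off + 8)[0]
            endian = "<" if bom == PCAPNG_BOM else ">"
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("bad block length %d at offset %d" % (blen, off))
        if struct.unpack_from(endian + "I", data, off + blen - 4)[0] != blen:
            raise ValueError("trailing block length mismatch at offset %d" % off)
        yield btype, endian, data[off + 8:off + blen - 4]
        off += blen


def pcapng_to_pcap(data, on_packet=None):
    """Convert pcapng bytes to pcap bytes.  The optional on_packet(ifid, sec, usec, pkt)
    observer plays the role of the handler passed to pcap_loop(); every packet is
    written regardless.  Assumes the default microsecond if_tsresol (not parsed)."""
    interfaces, records, linktype, snaplen = [], [], None, 0
    for btype, endian, body in iter_blocks(data):
        if btype == SHB:
            interfaces = []                       # interface IDs restart in each section
        elif btype == IDB:
            lt, _reserved, snap = struct.unpack_from(endian + "HHI", body, 0)
            if linktype is None:
                linktype = lt
            elif lt != linktype:                  # pcap has one link type for the whole file
                raise LinkTypeMismatch("interface %d has link type %d, first interface has %d"
                                       % (len(interfaces), lt, linktype))
            interfaces.append(lt)
            snaplen = max(snaplen, snap)
        elif btype == EPB:
            ifid, ts_hi, ts_lo, caplen, origlen = struct.unpack_from(endian + "IIIII", body, 0)
            if ifid >= len(interfaces):
                raise ValueError("EPB references undefined interface %d" % ifid)
            pkt = body[20:20 + caplen]
            sec, usec = divmod((ts_hi << 32) | ts_lo, 1_000_000)   # microseconds since epoch
            if on_packet:
                on_packet(ifid, sec, usec, pkt)
            records.append(struct.pack("<IIII", sec, usec, caplen, origlen) + pkt)
        # NRB, ISB, custom and unknown blocks carry no packets; pcap has nowhere to put them.
    if linktype is None:
        raise ValueError("no Interface Description Block found")
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen or 65535, linktype)
    return header + b"".join(records)


def read_pcap(data):
    """Parse little-endian pcap bytes into (linktype, snaplen, [(sec, usec, origlen, pkt)])."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    recs, off = [], 24
    while off + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack_from("<IIII", data, off)
        recs.append((sec, usec, origlen, data[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return linktype, snaplen, recs


def _block(btype, body):
    """Wrap a block body in the pcapng type / length / ... / length framing."""
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def build_sample_pcapng(linktypes):
    """Constructed test input (not a real capture): one section, one IDB per entry in
    linktypes, and one 14-byte dummy frame per interface."""
    blocks = [_block(SHB, struct.pack("<IHHq", PCAPNG_BOM, 1, 0, -1))]
    blocks += [_block(IDB, struct.pack("<HHI", lt, 0, 65535)) for lt in linktypes]
    for ifid in range(len(linktypes)):
        frame = bytes([ifid]) * 14
        ts = 1_348_857_600 * 1_000_000 + ifid     # constructed microsecond timestamp
        blocks.append(_block(EPB, struct.pack("<IIIII", ifid, ts >> 32, ts & 0xFFFFFFFF,
                                              len(frame), len(frame)) + frame))
    return b"".join(blocks)


if __name__ == "__main__":
    ok = pcapng_to_pcap(build_sample_pcapng([1, 1]))          # two Ethernet interfaces
    print("converted: linktype", read_pcap(ok)[0], len(read_pcap(ok)[2]), "records")
    try:
        pcapng_to_pcap(build_sample_pcapng([1, 101]))         # Ethernet plus raw IP
    except LinkTypeMismatch as e:
        print("refused:", e)
```

Two interfaces that share a link type convert cleanly into one pcap stream; an Ethernet interface next to a raw-IP one is refused up front, because once written to pcap there is no way for a reader to tell which records belong to which link type, which is exactly the case `-T ether` cannot repair.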
------------------------------

Message: 6
Date: Fri, 28 Sep 2012 18:43:29 +0000 (UTC)
From: albert <alo@xxxxxxxxxxxxxx>
To: wireshark-dev@xxxxxxxxxxxxx
Subject: Re: [Wireshark-dev] converting pcapng to pcap
Message-ID: <loom.20120928T203756-894@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

Guy Harris <guy@...> writes:

>
>
> However, if you convert pcap-ng to pcap with the command
>
>                  tcpdump -r file.pcapng -w file.pcap
>
> on a system with libpcap 1.1.0 or later, the APIs used are
>
>                  pcap_open_offline(), to open the input file;
>
>                  pcap_loop(), to read the packets;
>
>                  pcap_close(), to close the input file;
>
>                  pcap_dump_open(), to open the output file;
>
>                  pcap_dump(), to write to the output file;
>
>                  pcap_dump_close(), to close the output file.
>

Thank you for the prompt response.
If you could tolerate a couple more newbie questions.....

I'm assuming that the meat of the .pcapng to .pcap conversion is done in the
pcap_handler callback  for pcap_offline_read().  Is this correct ?

If so, how/where does the callback function for pcap_offline_read() get pre-
assigned?

Much appreciated for your time in this matter.


Cheers,
Albert




------------------------------

Message: 7
Date: Fri, 28 Sep 2012 11:52:45 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] [Wireshark-commits] rev 45191: /trunk/
                /trunk/epan/dissectors/: packet-btsap.c /trunk/: CMakeLists.txt
Message-ID: <96273A0C-2E67-4ECF-BC64-F93DF83AC871@xxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii


On Sep 28, 2012, at 7:29 AM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:

> I had been assuming that we needed to continue to define HAVE_CONFIG_H
> for backwards compatibility (e.g., for custom dissectors).

I'm not entirely sure what the point of HAVE_CONFIG_H is.  Is it to allow code to be "portable" between an autoconfig environment that uses config.h and other build tool environments (including autoconfig-based environments) that use -D's in the compile commands?  The autoconf documentation doesn't really give an indication of the purpose of HAVE_CONFIG_H or an indication of what the "best practice" is.

------------------------------

_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev


End of Wireshark-dev Digest, Vol 76, Issue 44
*********************************************


